Application security, made easier.

• LiteLLM guardrails endpoint sandbox escape enables authenticated RCE10 Apr 2026

  CVE-2026-40217 reports a High LiteLLM guardrails sandbox escape where authenticated API users bypass regex filtering via bytecode rewriting to execute arbitrary server-side code.

• Axios patches NO_PROXY normalization bypass enabling SSRF9 Apr 2026

  CVE-2025-62718 discloses a Critical Axios NO_PROXY hostname normalization bypass affecting `axios < 1.15.0`, enabling proxy misrouting and practical SSRF to loopback/internal services.

• Jetty patches JASPI ThreadLocal auth context leak8 Apr 2026

  A new High-severity Jetty flaw can leak JASPI authentication state across requests on the same thread, breaking access control and enabling privilege escalation in affected branches.

• Vault fixes token exposure to auth plugin backends17 Apr 2026
• Sandbox escape in Cortex Code CLI enables local code execution16 Apr 2026
• Fastify middie patches child-scope middleware auth bypass16 Apr 2026
• SAML assertion bypass lets attackers mint Cloud Foundry UAA tokens16 Apr 2026
• High-severity XXE disclosed across multiple WSO2 products16 Apr 2026

Deep dives on how attacks work, real-world impact, and prevention guidance. Got a topic request? Let us know.

• Authentication
• Business Logic Abuse
• Command Injection
• Cross-Origin Resource Sharing (CORS)
• Cross-Site Request Forgery (CSRF)
• Cross-Site Scripting (XSS)
• File Upload Security
• Insecure Direct Object References (IDOR)
• JSON Web Tokens (JWT)
• Mass Assignment
• Password Storage
• Path Traversal
• Prompt Injection
• Prototype Pollution
• Row-Level Security Patterns for Postgres
• Secure Software Development Lifecycle
• Server-Side Request Forgery (SSRF)
• Session Management
• SQL Injection
• Template Injection
• Threat Modeling

A free, local-first threat modelling tool. Map your system, identify threats, assign risk ratings, and track mitigations - all in the browser with no data leaving your machine. Export to PDF, generate AI prompts, and map threats to Cyber Essentials controls.

A lightweight security fundamentals assessment. 10 yes/no questions you can answer in 5 minutes to benchmark your AppSec baseline, identify quick wins, and track improvements over time. Export a PDF report to share with leadership.

Practical, task-focused playbooks and checklists you can use right away.

• Communicating AppSec Risk to Leadership
• Cyber Essentials for Development Teams
• Supply Chain Security Fundamentals
• API Key Security Best Practices
• How to Secure Next.js
• JWT Security Best Practices
• LLM Tool-Calling Security
• mTLS vs JWT vs OAuth for Service Auth
• Next.js CSP Configuration
• Next.js Security Checklist
• Next.js SSRF Protection
• OAuth 2.0 Security Best Practices
• Prompt Injection Prevention
• Rate Limiting in Node.js
• Secrets Management in GitHub Actions
• Secure File Uploads in Node.js
• Secure Password Storage (bcrypt vs Argon2)
• Secure Session Management
• Secure Webhook Verification
• Securing RAG Pipelines
• Service-to-Service Authentication Best Practices
• SQL Injection Prevention with Prisma
• Webhook Replay Attack Protection

A hands-on, lifecycle-first journey through application security. Six pathways follow the software lifecycle - from building a security mindset to breaking your own apps before someone else does.

1. 1
   ThinkBuild a security mindset: threats, boundaries, and intent.5 lessons
2. 2
   CodeWrite secure code: injection, auth, validation, and defence in depth.8 lessons
3. 3
   BuildDesign systems that defend themselves: frameworks, APIs, and architecture.6 lessons
4. 4
   ShipSecure the pipeline: CI/CD, dependencies, containers, and provenance.6 lessons
5. 5
   RunDetect and respond: logging, monitoring, incidents, and compliance.6 lessons
6. 6
   BreakFind what others miss: testing, review, and offensive techniques.6 lessons

Searchable CVE records with CVSS scores, severity filters, and affected-product lookups. Filter by critical/high severity, recently published, or recently updated.